gog still only using sha-1 to digitally sign files. still okay, crypto security wise, but not for long. (yes, i read white papers and some new moves are happening that are going to be public with tools)

even loner devs (some) now double up and use both sha-1 and sha-256 to sign files.
win 12 will require it anyway, so soon enough they will be forced to add it but still, they should start using it now.

finally, many old games/files (many still sold, so not just those old removed ones) are not even signed. ok, they were released here before digital signatures were truly a thing, but hey, you know, you can sign them anytime.

to the armchair "generals". yes, it's free to add/use different crypto methods and it costs no extra.

the old games that are not signed will soon enough (win12 or maybe 13 if outcry and M$ backs off some) not be installable (or even usable) under future windows versions, so major problem indeed.

IT'S TIME!!!

1.) Start also using SHA-256 to sign files,
2.) Sign old games that were and still are not digitally signed!!!
3.) Add integrity checks to installers that don't have them.
Post edited November 29, 2023 by GOGer
There is one pro for not-signed files. It makes me want to download games solely from gog.com. Any other place might be full of hacked stuff : )
GOGer: gog still only using sha-1 to digitally sign files. still okay, crypto security wise, but not for long. (yes, i read white papers and some new moves are happening that are going to be public with tools)

even loner devs (some) now double up and use both sha-1 and sha-256 to sign files.
win 12 will require it anyway, so soon enough they will be forced to add it but still, they should start using it now.

finally, many old games/files (many still sold, so not just those old removed ones) are not even signed. ok, they were released here before digital signatures were truly a thing, but hey, you know, you can sign them anytime.

to the armchair "generals". yes, it's free to add/use different crypto methods and it costs no extra.

the old games that are not signed will soon enough (win12 or maybe 13 if outcry and M$ backs off some) not be installable (or even usable) under future windows versions, so major problem indeed.

IT'S TIME!!!

1.) Start also using SHA-256 to sign files,
2.) Sign old games that were and still are not digitally signed!!!
I assume the signing is so it can verify and install on newer versions of windows? Or for error checking?

When Linus Torvalds was working on Git, he decided on SHA-1, I believe. Basic law of math is you'll start hitting clashes at the square root of the space (so in 365 days, 1 in 19 people are likely to end up with the same birthday). This means for a 128-bit hash, 64 bits' worth (18 quintillion) of files would likely need to happen before you get a clash (SHA-1 is 160-bit, so...). He decided that was good enough for source code, as I understand it. So I'm not sure why 256 would be needed, though it certainly wouldn't hurt.
Post edited November 28, 2023 by rtcvb32
Even MD5 offers a decent degree of error checking when we're talking about hash collision.

If you're talking about security, yes, the higher the better but even SHA-1 is still more than adequate in that regard. Especially when you're already downloading it from a reputable source.

GOG has time to change if and when it has to. And I'll put on the "armchair general"'s uniform for a minute and remind the OP that ANYTHING gog gets its workers to do costs money, so yes - the crypto software might be potentially free, but the setup costs, no matter how minute you think they are, are a significant issue to consider.

But sure, if you want GOG staff to spend even less time dealing with support tickets and plugging holes in its software, by all means add more jobs on the pile.
Post edited November 29, 2023 by Braggadar
Alright, but if I may ask:

Since GOG may already be modifying some of the older titles to strip them of things like codewheel protection or otherwise getting rid of CD checks, what's the point of signing them in the first place?
Darvond: Since GOG may already be modifying some of the older titles to strip them of things like codewheel protection or otherwise getting rid of CD checks, what's the point of signing them in the first place?
I can only think of 2 things.

1) Verifies it's untampered/uncorrupted
2) Newer versions of Windows may be refusing to install anything unless it's signed (Windows already has issues with drivers unless they are signed, unless you turn that off)
rtcvb32: Basic law of math is you'll start hitting clashes at the square root of the space. (so in 365 days, 1 in 19 people are likely to end up with the same birthday).
That is so wrong on so many levels.

1. It's not a law, it's a crude approximation of a much more complicated expression.
2. The actual value is 23, not 19.
3. 23 refers to the number of people in a room before the probability of two people sharing a birthday is more than 50% - not the individual probability of any one person sharing a birthday.
4. It would be 2 of 23 people sharing the same birthday, not 1. You need a pair.
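An added worked example for the birthday-bound exchange in the two posts above (rtcvb32's square-root rule and lupineshadow's 23-people correction); this is not code from either poster. It computes the exact collision probability for small spaces, the standard approximation for hash-sized ones, and the generic work factor for SHA-1 and friends.

```python
# Added example (not from the thread): the birthday bound for hashes, exact
# for small spaces and via the standard approximation for large ones.
import math

def collision_probability(space: int, samples: int) -> float:
    """P(at least one pair collides) when drawing `samples` values uniformly
    at random from `space` possibilities."""
    if samples > space:
        return 1.0  # pigeonhole principle: a collision is guaranteed
    if samples <= 10_000:  # exact product is cheap here
        p_no_collision = 1.0
        for i in range(samples):
            p_no_collision *= (space - i) / space
        return 1.0 - p_no_collision
    # 1 - exp(-n(n-1)/2N): the usual large-N approximation
    return 1.0 - math.exp(-samples * (samples - 1) / (2.0 * space))

def samples_for_half_chance(space: int) -> int:
    """Smallest number of draws at which a collision is more likely than not
    (23 for 365 birthdays: it is a pair among all draws, not one person)."""
    n = 1
    while collision_probability(space, n) <= 0.5:
        n += 1
    return n

def log2_hashes_for_half_chance(bits: int) -> float:
    """log2 of the number of random inputs needed for a 50% chance that some
    pair collides in a `bits`-bit hash: sqrt(2 * ln 2 * 2**bits), i.e. about
    1.18 * 2**(bits/2). This is the generic bound only; SHA-1's published
    collision attacks need far less than the 2**80 it gives for 160 bits."""
    return bits / 2 + 0.5 * math.log2(2 * math.log(2))
```

The square-root rule is where the probability stops being negligible; the exact product shows it passes 50% at 23 people for birthdays, not 19.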
A. Hello is that Microsoft?
B. Yes, this is Microsoft. How may I help you?

A. I have thousands of games I bought from GOG.com, and Windows won't let me install them. What can I do?
B. You should only trust and buy games from the Microsoft Store and partners.

A. Never mind, I've always wanted to try Linux. beep beep beep beep beep ....
B. Gawd That's another one. The 666th customer this week.

The nature of the beast ..... can't really see that happening. :P
I have always wondered - is there any way to verify the checksum of a game file(s) after you download it? I rarely use the offline files for installation but I always thought it is a good idea to verify files before installing like for most programs these days. Is that even possible for GOG files?
Post edited November 29, 2023 by Hirako__
lupineshadow: That is so wrong on so many levels.

1. It's not a law, it's a crude approximation of a much more complicated expression.
2. The actual value is 23, not 19.
3. 23 refers to the number of people in a room before the probability of two people sharing a birthday is more than 50% - not the individual probability of any one person sharing a birthday.
4. It would be 2 of 23 people sharing the same birthday, not 1. You need a pair.
Note, I don't have a math major or major, but with entropy involved I've seen hitting this type of multiple instances of the same data/symbol does indeed follow this rule generally; Guess it depends on how the data is approached, be it inclusively growing the statistics, or working with a million pieces of data as a single set while trying to find all the unique symbols within set ranges.
Hirako__: I have always wondered - is there any way to verify the checksum of a game file(s) after you download it? I rarely use the offline files for installation but I always thought it is a good idea to verify files before installing like for most programs these days. Is that even possible for GOG files?
Yep, check out 3rd party downloaders that use the GOG SDK.

gogcli.exe
gogrepo.py
lgogdownloader

They will check out the MD5 state of the offline installers.

That's the quickest method or you can use a much slower test method with InnoExtract, which checks every file inside the offline installers, which is similar to what happens when you install the game. Each offline installer contains a kind of manifest that has MD5 values for every file.

Other than that, I think there is also a list at GOGDB or elsewhere that lists MD5 values.
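An added example of the check the answer above describes (comparing a downloaded file to its published digest, as the listed downloaders do for offline installers); it is not code from gogrepo, lgogdownloader or GOG. The manifest line format and file names are constructed assumptions, not GOG's real manifest layout.

```python
# Added example, not from the thread or from any GOG tool: verify downloaded
# files against published digests. The manifest format is a constructed
# assumption: one "<algorithm> <hexdigest> <relative path>" per line.
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, so multi-GB installers are not loaded whole
def file_digest(path: str, algorithm: str) -> str:
    h = hashlib.new(algorithm)  # "md5", "sha1", "sha256", ...
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(manifest_text: str, base_dir: str) -> dict:
    """Map each manifest entry to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for line in manifest_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        algorithm, expected, rel_path = line.split(maxsplit=2)
        full = os.path.join(base_dir, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "missing"
            continue
        actual = file_digest(full, algorithm)
        # constant-time compare; also normalises the case of the expected hex
        ok = hmac.compare_digest(actual, expected.lower())
        results[rel_path] = "ok" if ok else "mismatch"
    return results

def demo() -> dict:
    """Constructed sample: one intact file, one altered, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "setup_game_1.0.exe")  # constructed names
        bad = os.path.join(d, "setup_game_1.0-1.bin")
        for p in (good, bad):
            with open(p, "wb") as f:
                f.write(b"constructed installer bytes\n" * 1000)
        manifest = "\n".join([
            f"md5 {file_digest(good, 'md5')} setup_game_1.0.exe",
            f"sha256 {file_digest(bad, 'sha256')} setup_game_1.0-1.bin",
            "md5 00000000000000000000000000000000 setup_game_1.0-2.bin",
        ])
        with open(bad, "ab") as f:
            f.write(b"tampered")  # simulate a corrupted or altered download
        return verify_manifest(manifest, d)
```

A digest match only proves the bytes equal what the publisher listed; it says nothing about who published them, which is what the code signature in the original post is for.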
forgot too, that some (many?) older and older-ish installers do not even have the installer integrity check either. so add that too to missing ones.

tldr; go through installers and;

1.) Start also using SHA-256 to sign files,
2.) Sign old games that were and still are not digitally signed!!!
3.) Add integrity checks to installers that don't have them.